{"id":"https://openalex.org/W7146995263","doi":"https://doi.org/10.1109/cnml68938.2026.11453069","title":"VOAPI2: a Vulnerability-Oriented Testing Framework for RESTful APIs","display_name":"VOAPI2: a Vulnerability-Oriented Testing Framework for RESTful APIs","publication_year":2026,"publication_date":"2026-01-30","ids":{"openalex":"https://openalex.org/W7146995263","doi":"https://doi.org/10.1109/cnml68938.2026.11453069"},"language":null,"primary_location":{"id":"doi:10.1109/cnml68938.2026.11453069","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cnml68938.2026.11453069","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2026 International Conference on Communication Networks and Machine Learning (CNML)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5132643866","display_name":"L\u00fcbin Xu","orcid":null},"institutions":[{"id":"https://openalex.org/I180662265","display_name":"China Mobile (China)","ror":"https://ror.org/05gftfe97","country_code":"CN","type":"company","lineage":["https://openalex.org/I180662265"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"L\u00fcbin Xu","raw_affiliation_strings":["China Mobile Group Yunnan Co., Ltd.,China"],"affiliations":[{"raw_affiliation_string":"China Mobile Group Yunnan Co., Ltd.,China","institution_ids":["https://openalex.org/I180662265"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5023901732","display_name":"Zhuolin Zeng","orcid":null},"institutions":[{"id":"https://openalex.org/I180662265","display_name":"China Mobile (China)","ror":"https://ror.org/05gftfe97","country_code":"CN","type":"company","lineage":["https://openalex.org/I180662265"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhuolin Zeng","raw_affiliation_strings":["China Mobile Group Yunnan Co., Ltd.,China"],"affiliations":[{"raw_affiliation_string":"China Mobile Group Yunnan Co., Ltd.,China","institution_ids":["https://openalex.org/I180662265"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132669033","display_name":"Zhen Tang","orcid":null},"institutions":[{"id":"https://openalex.org/I180662265","display_name":"China Mobile (China)","ror":"https://ror.org/05gftfe97","country_code":"CN","type":"company","lineage":["https://openalex.org/I180662265"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhen Tang","raw_affiliation_strings":["China Mobile Group Yunnan Co., Ltd.,China"],"affiliations":[{"raw_affiliation_string":"China Mobile Group Yunnan Co., Ltd.,China","institution_ids":["https://openalex.org/I180662265"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5132652655","display_name":"Biao Xiao","orcid":null},"institutions":[{"id":"https://openalex.org/I139759216","display_name":"Beijing University of Posts and Telecommunications","ror":"https://ror.org/04w9fbh59","country_code":"CN","type":"education","lineage":["https://openalex.org/I139759216"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Biao Xiao","raw_affiliation_strings":["Beijing University of Posts and Telecommunications,School of Cyberspace Security,Beijing,China"],"affiliations":[{"raw_affiliation_string":"Beijing University of Posts and Telecommunications,School of Cyberspace Security,Beijing,China","institution_ids":["https://openalex.org/I139759216"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5132570748","display_name":"Dong Chen","orcid":null},"institutions":[{"id":"https://openalex.org/I180662265","display_name":"China Mobile (China)","ror":"https://ror.org/05gftfe97","country_code":"CN","type":"company","lineage":["https://openalex.org/I180662265"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Dong Chen","raw_affiliation_strings":["China Mobile Communications Group Co., Ltd.,Beijing,China,100033"],"affiliations":[{"raw_affiliation_string":"China Mobile Communications Group Co., Ltd.,Beijing,China,100033","institution_ids":["https://openalex.org/I180662265"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5132643866"],"corresponding_institution_ids":["https://openalex.org/I180662265"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.94588878,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"389","last_page":"393"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.4700999855995178,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.4700999855995178,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.16509999334812164,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.07530000060796738,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/stateful-firewall","display_name":"Stateful firewall","score":0.7160000205039978},{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.6582000255584717},{"id":"https://openalex.org/keywords/correctness","display_name":"Correctness","score":0.5302000045776367},{"id":"https://openalex.org/keywords/application-programming-interface","display_name":"Application programming interface","score":0.5174000263214111},{"id":"https://openalex.org/keywords/security-testing","display_name":"Security testing","score":0.4997999966144562},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.48190000653266907},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.40549999475479126},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.39169999957084656},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.3752000033855438},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.3499999940395355}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8363999724388123},{"id":"https://openalex.org/C22927095","wikidata":"https://www.wikidata.org/wiki/Q1784206","display_name":"Stateful firewall","level":3,"score":0.7160000205039978},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.6582000255584717},{"id":"https://openalex.org/C55439883","wikidata":"https://www.wikidata.org/wiki/Q360812","display_name":"Correctness","level":2,"score":0.5302000045776367},{"id":"https://openalex.org/C99613125","wikidata":"https://www.wikidata.org/wiki/Q165194","display_name":"Application programming interface","level":2,"score":0.5174000263214111},{"id":"https://openalex.org/C195518309","wikidata":"https://www.wikidata.org/wiki/Q13424265","display_name":"Security testing","level":5,"score":0.4997999966144562},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.48190000653266907},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.40549999475479126},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.39169999957084656},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.3752000033855438},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.36570000648498535},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.3549000024795532},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.3499999940395355},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.3407000005245209},{"id":"https://openalex.org/C165136773","wikidata":"https://www.wikidata.org/wiki/Q1363179","display_name":"Single point of failure","level":2,"score":0.3345000147819519},{"id":"https://openalex.org/C77109596","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Application security","level":5,"score":0.3292999863624573},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.32710000872612},{"id":"https://openalex.org/C2777210771","wikidata":"https://www.wikidata.org/wiki/Q4927124","display_name":"Block (permutation group theory)","level":2,"score":0.32510000467300415},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.3151000142097473},{"id":"https://openalex.org/C93996380","wikidata":"https://www.wikidata.org/wiki/Q44127","display_name":"Server","level":2,"score":0.30880001187324524},{"id":"https://openalex.org/C164554305","wikidata":"https://www.wikidata.org/wiki/Q71550","display_name":"Application server","level":2,"score":0.30570000410079956},{"id":"https://openalex.org/C126831891","wikidata":"https://www.wikidata.org/wiki/Q221673","display_name":"Host (biology)","level":2,"score":0.3027999997138977},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.30000001192092896},{"id":"https://openalex.org/C2778717966","wikidata":"https://www.wikidata.org/wiki/Q4189076","display_name":"Protection mechanism","level":3,"score":0.29820001125335693},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.29580000042915344},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.2924000024795532},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.28349998593330383},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.2833999991416931},{"id":"https://openalex.org/C146222976","wikidata":"https://www.wikidata.org/wiki/Q1204997","display_name":"Business logic","level":2,"score":0.2793999910354614},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.2732999920845032},{"id":"https://openalex.org/C110251889","wikidata":"https://www.wikidata.org/wiki/Q1569697","display_name":"Model checking","level":2,"score":0.2718999981880188},{"id":"https://openalex.org/C11392498","wikidata":"https://www.wikidata.org/wiki/Q11288","display_name":"Web server","level":3,"score":0.27149999141693115},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.25949999690055847},{"id":"https://openalex.org/C127613066","wikidata":"https://www.wikidata.org/wiki/Q557770","display_name":"Web API","level":4,"score":0.25519999861717224},{"id":"https://openalex.org/C22111027","wikidata":"https://www.wikidata.org/wiki/Q1070427","display_name":"Internet security","level":4,"score":0.2506999969482422},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.25049999356269836}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/cnml68938.2026.11453069","is_oa":false,"landing_page_url":"https://doi.org/10.1109/cnml68938.2026.11453069","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2026 International Conference on Communication Networks and Machine Learning (CNML)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.5710617303848267,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":3,"referenced_works":["https://openalex.org/W4224983044","https://openalex.org/W4409171443","https://openalex.org/W4412151941"],"related_works":[],"abstract_inverted_index":{"With":[0],"the":[1,89,129,246],"rapid":[2],"proliferation":[3],"of":[4,15,183,187,209,250],"Web":[5],"services,":[6],"RESTful":[7,41,80,251],"APIs":[8,20,81],"have":[9],"become":[10],"a":[11,35,75,109,150,158,181,196,239],"fundamental":[12],"building":[13],"block":[14],"modern":[16],"software":[17],"systems.":[18],"As":[19],"increasingly":[21],"expose":[22],"critical":[23],"business":[24],"logic":[25],"and":[26,49,51,95,135,166,194,241,248],"sensitive":[27],"data,":[28],"ensuring":[29],"their":[30],"security":[31,58,85,211,224,253],"has":[32],"emerged":[33],"as":[34,64],"pressing":[36],"challenge.":[37],"However,":[38],"most":[39],"existing":[40,189],"API":[42,93,101,123,144,164,191,218,252],"testing":[43,111,192,219,237],"tools":[44],"primarily":[45],"emphasize":[46],"functional":[47],"correctness":[48],"robustness,":[50],"thus":[52],"often":[53],"fail":[54],"to":[55],"effectively":[56],"uncover":[57],"vulnerabilities":[59,212],"that":[60,82,103,113,142,162,205,213,226,235],"do":[61],"not":[62],"manifest":[63],"obvious":[65],"crashes":[66],"or":[67],"server":[68,176],"errors.In":[69],"this":[70],"paper,":[71],"we":[72],"present":[73],"VOAPI2,":[74],"vulnerability-oriented":[76,236],"inspection":[77],"framework":[78,130],"for":[79,244],"explicitly":[83],"targets":[84],"flaws":[86],"by":[87,118,216,230],"leveraging":[88],"intrinsic":[90],"relationship":[91],"between":[92],"functionality":[94],"vulnerability":[96,151],"types":[97],"[1].":[98],"Unlike":[99],"conventional":[100],"fuzzers":[102],"explore":[104],"endpoints":[105,117],"indiscriminately,":[106],"VOAPI2":[107,155,184,206],"adopts":[108],"guided":[110],"strategy":[112],"first":[114],"identifies":[115],"security-critical":[116],"analyzing":[119],"semantic":[120],"cues":[121],"in":[122],"specifications.":[124],"Based":[125],"on":[126,174,185,199],"these":[127],"cues,":[128],"generates":[131],"vulnerability-specific":[132],"attack":[133],"payloads":[134],"embeds":[136],"them":[137],"into":[138],"state-aware":[139],"request":[140],"sequences":[141],"respect":[143],"execution":[145],"dependencies.To":[146],"accurately":[147],"determine":[148],"whether":[149],"is":[152,207,238],"successfully":[153],"triggered,":[154],"further":[156],"incorporates":[157],"feedback-driven":[159],"verification":[160],"mechanism":[161],"analyzes":[163],"responses":[165],"observable":[167],"side":[168],"effects":[169],"rather":[170],"than":[171],"relying":[172],"solely":[173],"generic":[175],"error":[177],"codes.":[178],"We":[179],"implement":[180],"prototype":[182],"top":[186],"an":[188],"stateful":[190],"engine":[193],"conduct":[195],"preliminary":[197],"evaluation":[198],"real-world":[200],"APIs.":[201],"The":[202],"results":[203],"demonstrate":[204],"capable":[208],"discovering":[210],"are":[214],"missed":[215],"state-of-the-art":[217],"tools,":[220],"including":[221],"previously":[222],"unknown":[223],"issues":[225],"were":[227],"later":[228],"confirmed":[229],"developers.":[231],"These":[232],"findings":[233],"indicate":[234],"practical":[240],"effective":[242],"direction":[243],"improving":[245],"coverage":[247],"efficiency":[249],"testing.":[254]},"counts_by_year":[],"updated_date":"2026-04-02T13:53:19.096889","created_date":"2026-04-02T00:00:00"}